66 citations found.
E.M. Clarke, O. Grumberg, and M.C. Browne. Reasoning about networks with many identical finite-state processes. In Proc. 5th ACM Symp. on Principles of Distributed Computing, pages 240--248, Calgary, Alberta, August 1986.


This paper is cited in the following contexts:


An Application of Abstraction and Induction Techniques to.. - Miller, Calder (2003)

....into subclasses for which methods are available for generalisation is suggested and examples given. One of the most widely used approaches to tackling the PMCP when processes of a system are isomorphic (that is, they are identical up to labelling) is the synthesis of network invariants [3] [6]. In [7] a similar approach is used to show how certain properties of a modified version of the tree identification stage of the IEEE FireWire protocol (the MTIP) can be proven for any size of network provided that the processes have a star topology. This approach involves a combination of ....

....B. The abstracted star configuration In this section we introduce a technique based on abstraction and induction to prove safety properties of the TIP (for example our property 4) for a star topology for any number of processes. One can not hope to prove the properties using induction alone [4] [6], because the behaviour of the Central node process depends upon the total number of processes. However, an important observation is that for a star topology consisting of N processes, much of the behaviour of the Central node processes depends upon whether the number of messages that have at ....

M. Browne, E. Clarke, and O. Grumberg, "Reasoning about networks with many identical finite state processes," Information and Computation, vol. 81, pp. 13--31, 1989.


An Application of Abstraction and Induction Techniques to.. - Miller, Calder

....into subclasses for which methods are available for generalisation is suggested and examples given. One of the most widely used approaches to tackling the PMCP when processes of a system are isomorphic (that is, they are identical up to labelling) is the synthesis of network invariants [3] [6]. In [7] a similar approach is used to show how certain properties of a modified version of the tree identification stage of the IEEE FireWire protocol (the MTIP) can be proven for any size of network provided that the processes have a star topology. This approach involves a combination of ....

....B. The abstracted star configuration In this section we introduce a technique based on abstraction and induction to prove safety properties of the TIP (for example our property 4) for a star topology for any number of processes. One can not hope to prove the properties using induction alone [4] [6], because the behaviour of the Central node process depends upon the total number of processes. However, an important observation is that for a star topology consisting of N processes, much of the behaviour of the Central node processes depends upon whether the number of messages that have at ....

M. Browne, E. Clarke, and O. Grumberg, "Reasoning about networks with many identical finite state processes," Information and Computation, vol. 81, pp. 13--31, 1989.


A Model Checker for Linear Time Temporal Logic - Fisher (1992)   (4 citations)

....has been described by Barringer et al. [BFG89]. This uses a minimal form of closure developed by Gough [Gou84]. To reduce the size of the state machine checked at any one time, compositional and compression techniques for state machines have been developed. See, for example Clarke et al. [CGB86, CG87]. Rather than checking a truly complete state machine, degrees of freedom such as input values can be left undefined. This reduces the number of states considerably, but obviously requires a more complex checking algorithm [Bro86]. The algorithm described above represents a breadth first ....

E. M. Clarke, O. Grumberg, and M. C. Browne. Reasoning about Networks with many identical Finite-State Processes. Technical report, Department of Computer Science, Carnegie Mellon University, December 1986.


Ameliorating the State Space Explosion Problem - Namjoshi (1998)   (3 citations)

....similar systems, it is often the case that the correctness properties are of the form : for every process P 16 holds , or for every pair of processes P holds . To express these properties concisely, it is convenient to use an indexed proposition set and quantification over the index set [RS 85, BCG 89] Quantified properties are represented here in the form x:R(x) f(x) where x is a non empty list of bound names, R is an expression denoting the range of these names, and f is a temporal logic formula with propositions indexed by these names. For example, mutual exclusion among a collection ....

....a fully automated technique, such as Model Checking [CE 81, CES 86] may be applied for the verification of the parameterized system. The logic in which correctness properties are expressed is the branching time logic CTL without the next time operator X, which we denote by CTL nX [BCG 89]. The semantics of this logic is presented in Chapter 2. Formulas of this logic are insensitive to stuttering (repeated occurrences of the same state). Since the formulas have to hold for rings of various sizes, it seems reasonable to make them free of next time requirements, which in general ....

[Article contains additional citation context not shown here]

Browne, M. C., Clarke, E. M., Grumberg, O. Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, vol. 81, no. 1, April 1989.


The Common Fragment of CTL and LTL - Maidl (2000)   (4 citations)

....liveness(f) Example The tableau for f = AG(p#AX(A p 1 U p 2 ) is shown in Figure 1 on the following page. The initial states are 0 and 1, and the fairness condition is pos f #= 1#pos f #= 4#pos f #= 5 . We can characterize satisfaction of an ACTL formula f by the simulation order (see [19, 5]) between a Kripke structure and the tableau T f . This use of the simulation order was introduced by Long [15] Let S = Q,Q 0 , R,F) be a Kripke structure and T f = Q f , Q 0f , R f , F f ) the tableau for an ACTL formula f. A relation ##QQ f is a simulation of S by T f if the following ....

E. M. Clarke, O. Grumberg, and M. C. Browne. Reasoning about networks with many identical finite-state processes. In Proc. 5th ACM Symposium on Principles of Distributed Computing, pages 240--248, Calgary, Alberta, August 1986.


Automatic Verification of Parameterized Synchronous Systems - Emerson, Namjoshi (1996)   (24 citations)

....all distinct pairs of user processes : V i6=j Ah(i; j) and V i6=j Eh(i; j) where h(i; j) is a linear time formula with atomic propositions over control process states, and over states of U indexed with either i or j. The formal semantics of these logics is defined in the usual way [Em 90, BCG 89, ES 95] and we write M; s j= f to mean that formula f is true in structure M at state s. 3 The abstract model For a given (C; U) family, we construct an abstract process A which includes all computations of every size instance of the family. Intuitively, a state (c; S) of A represents any ....

.... All of them, however, possess certain limitations, which is perhaps not surprising since the PMCP is undecidable in general (cf. [AK 86], [Su 88]). Many of the methods are only partially automated, requiring human ingenuity to construct, e.g. a process invariant or closure process (cf. [CG 87], [BCG 89], [KM 89], [WL 89]). Some could be fully automated but do not appear to have a clearly defined class of protocols on which they are guaranteed to succeed (cf. [ShG 89], [V 93], [CGJ 95]). Abstract graphs (for asynchronous systems) were considered in [ESr 90] for synthesis, [V 93] for automatic ....

Browne, M. C., Clarke, E. M., Grumberg, O. Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, vol. 81, no. 1, pp. 13--31, April 1989.


Verification of a Parameterized Bus Arbitration Protocol - Emerson, Namjoshi (1998)   (1 citation)

....1 and there is no process sending 0 , the next bus value is 1 . AG(insymbol :exists0sender exists1sender ) A(insymbol U (value = 1 :insymbol) While the properties above are global properties, the following are properties of every unit, expressed in an indexed temporal logic (cf. RS 85, BCG 89] C2c) In any global state where symbol transmission is in progress, and unit i is transmitting 0 , then its transmission inevitably succeeds, and unit i does not fail before the bus symbol is determined. V i AG(insymbol tr i symbol i = 0 ) A(insymbol U [ insymbol U (insymbol tr i ) ....

Browne, M. C., Clarke, E. M., Grumberg, O. Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, vol. 81, no. 1, pp. 13--31, April 1989.


Reasoning about Rings - Emerson, Namjoshi (1995)   (31 citations)

....a fully automated technique, such as Model Checking [CE 81, CES 86] may be applied for the verification of the parameterized system. The logic in which correctness properties are expressed is the branching time logic CTL without the next time operator X, which we denote by CTL nX [BCG 89]. Such formulas are insensitive to stuttering (repeated occurrences of the same state). Since the formulas are to hold of rings of various sizes, it seems reasonable to make them free of next time requirements, which will in general vary among rings of various sizes. It is, however, possible to ....

....specifically co RE. 7 Related Work and Conclusions Among related work, [AK 86, Su 88] show that the problem of automatically checking a specification for every instance of a parameterized system is in general undecidable. Positive results include those of Clarke, Grumberg and Browne [CG 87, BCG 89]; however, their method requires the manual construction of bisimulations or that of a closure process which represents computations of an arbitrary number of processes. [KM 89] and [WL 89] introduce the related notion of a process invariant. All these methods rely on human ingenuity to manually ....

Browne, M. C., Clarke, E. M., Grumberg, O. Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, vol. 81, no. 1, pp. 13--31, April 1989.


Formal Verification Of Parameterized Protocols On Branching Networks - Jones (2001)   (1 citation)

....with n nodes or more. The advantage of this approach is that the system with n nodes has a finite number of states and can be checked using automatic model checking algorithm. The difficulty is showing that the induction is valid. In the first of these works, by Browne, Clarke and Grumberg [15], the user is required to show bisimulation [16] between a system with two nodes and a system with n nodes. The bisimulation relation, is sufficient to show that all indexed CTL properties of the two node system hold for all n node systems. The two node system is verified using a CTL model checking ....

....Each edge is labeled with a vector. In a VASS representing a parameterized system, the ith entry of a vector label has value a if a nodes are in state i. A model checking algorithm for PTL formulae on VASS models is developed and extended to include certain liveness properties. Both [18] and [15] consider only linear network topologies. Shtadler and Grumberg [22] give an inductive argument for topologies generated by a context free network grammar. In a network grammar, the terminals represent primitive network elements and the productions combine the primitives to form networks. A ....

M.C. Browne, E.M. Clarke, and O. Grumberg, "Reasoning about networks with many identical finite state processes," Information and Computation, vol. 81, pp. 13--31, April 1989.


A Simple Characterization of Stuttering Bisimulation - Namjoshi (1997)   (6 citations)

....states of the protocol have channels with order values of length at most 2. Thus, B induces a finite partition of the reachable state space. This fact can be exploited to model check the properties of the protocol, as described subsequently. 4.2 Simple Token Ring Protocols In [EN 95] (cf. [BCG 89]) stuttering bisimulation is used to show that for token rings of similar processes, a small cutoff size ring is equivalent to one of any larger size. [EN 95] shows that the computation trees of process 0 in rings of size 2 and of size n, n 2, are stuttering bisimilar. It follows that a ....

Browne, M. C., Clarke, E. M., Grumberg, O. Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, vol. 81, no. 1, pp. 13--31, April 1989.


Verification of a Parameterized Bus Arbitration Protocol - Emerson, Namjoshi (1998)   (1 citation)

....transmission is in progress, if there is a unit sending 1, and no unit sending 0, the next bus value is 1. AG(insym :E0sender E1sender ) at(value = 1) The properties above are global properties. The following are properties of every unit, expressed in an indexed temporal logic (cf. RS 85] BCG 89] C2c) In any global state where symbol transmission is in progress, every unit transmitting 0 succeeds, and continues to transmit until the next insym state. V i AG(insym tr i (sym i = 0) after (tr i ) C2d) In any global state where symbol transmission is in progress, and there is a ....

Browne, M. C., Clarke, E. M., Grumberg, O. Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, vol. 81, no. 1, pp. 13--31, April 1989.


Planning Proofs of Correctness of CCS Systems UNIVER - Monroy-Borja (1997)

....results for some classes of infinite behaviour. The interested reader is referred to [Esparza 96] for a thorough discussion and survey of the work on this research area. So far, however, these techniques are unable to handle value passing and process communication over ISS PSs. CTL [Browne et al. 86] proposed a method to reason about networks containing an arbitrary number of similar finite state systems. The method, which involves the use of model checking, works by collapsing a large network into other, smaller, with fixed and manageable number of components. The conditions which guarantee ....

....of components. The conditions which guarantee that the original network and the shrunk network correspond impose limitations on the logic; in particular, the next time operator is not included, and certain properties, concerning the global state of a system, cannot be expressed. The method of [Browne et al. 86] applies only when the requirement about the similarity between the network subcomponents holds; this is in contrast with our approach, which imposes no restrictions or makes no assumptions about each network subcomponent. Furthermore, the method cannot handle infinite state systems; nor is it ....

M. C. Browne, E. M. Clarke, and O. Grumberg. Reasoning about networks with many identical finite state processes. ACM Symposium of Principles of Distributed Computing, 5, 1986. Also available from Carnegie Mellon University as research report No. CMUCS -86-155.


Reasoning about Rings - Emerson, Namjoshi (1995)   (31 citations)

....Thus, for systems composed of isomorphic finite state processes, a fully automated technique, such as Model Checking [CE 81,CES 86] may be applied for the verification of the infinite state parameterized system. Correctness properties are expressed in a stuttering insensitive sub logic, CTL nX [BCG 89] of the branching time logic CTL [EH 86]. CTL nX allows all formulas of CTL that do not contain the next state operator X. Formulas in CTL nX are insensitive to stuttering, i.e. repeated occurrences of the same state label or non observable actions. As the correctness properties are to ....

....specifically co RE. 7 Related Work and Conclusions Among related work, [AK 86,Su 88] show that the problem of automatically checking a specification for every instance of a parameterized system is in general undecidable. Positive results include those of Clarke, Grumberg and Browne [CG 87,BCG 89]; however, their method requires the manual construction of bisimulations or that of a closure process which represents computations of an arbitrary number of processes. [KM 89] and [WL 89] introduce the related notion of a process invariant. All these methods rely on human ingenuity to ....

Browne, M. C., Clarke, E. M., Grumberg, O. Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, vol. 81, no. 1, pp. 13--31, April 1989.


On Model Checking for Non-Deterministic Infinite-State Systems - Emerson, Namjoshi (1998)   (13 citations)

....the function rep of the covering graph procedure may be chosen so that rep(X) for a subset X of equivalent states, is the equivalence class that the states in X belong to. With this definition, since there is a finite number of equivalence classes, the covering graph construction terminates. In [BCG 89, EN 95] a method for verification of parameterized systems is proposed, which is to set up a family of bisimulations fBn jn mg between instances of size n m and the instance of size m. If this is possible, then the correctness property holds of all instances iff it holds on instances of sizes ....

Browne, M. C., Clarke, E. M., Grumberg, O. Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, vol. 81, 1989.


Automatic Verification of Parameterized Cache Coherence Protocols - Delzanno (2000)   (15 citations)

....(e.g. [ABJN99]) are often semialgorithms, i.e. they do not guarantee the termination of the analysis. Other methods based on regular languages have been proposed in [AJ98, ABJN99, CGJ97]. Among semi automatic methods that require the construction of abstractions or network invariants we mention [BCG89, MS91, CGJ97, Gra99, HQR99, KM89, LD90, WL89]. Automated generation of invariants has been studied e.g. in [CGJ97, LHR97]. Automated generation of abstract transition graphs for infinite state systems has been studied in [GS97]. There are several state enumeration techniques for the verification ....

M. C. Browne, E. M. Clarke, O. Grumberg. Reasoning about Networks with Many Identical Finite State Processes. Information and Computation 81(1): 13-31, 1989.


Compositional Minimization of Finite State Systems - Graf, Steffen (1991)   (24 citations)

....[Wa88] use partial specifications in order to take context constraints into account. Our method is an elaboration of theirs. It uses a more appropriate preorder and defines a concrete strategy for (semi )automatic proofs where the required user support is kept to a minimum. The methods proposed in [WoLo89,StGr89,KuMcM89,BCG86] are tailored to verify properties of classes of systems that are systematically built from large numbers of identical processes. These methods are somewhat orthogonal to ours. This suggests to consider a combination of both types of methods. 3 Representation of Processes In this section, we ....

M.C. Browne, E.M. Clarke and O. Grumberg. Reasoning about networks with many identical finite state processes, in ACM Symposium on Principle of Distributed Computing, 1986


Automatic Verification of Parameterized Cache Coherence Protocols - Delzanno (2000)   (15 citations)

....like ours (e.g. [ABJN99]) are often semi algorithms, i.e. they do not guarantee the termination of the analysis. Other methods based on regular languages have been proposed in [ABJN99, CGJ97]. Among semi automatic methods that require the construction of abstractions and invariants we mention [BCG89, CGJ97, HQR99, McM99]. Automated generation of invariants has been studied e.g. in [CGJ97, LHR97]. Automated generation of abstract transition graphs for infinite state systems has been studied in [GS97]. Symmetry reductions for parameterized systems have been considered, e.g. in [ID99, McM99, ....

M. C. Browne, E. M. Clarke, O. Grumberg. Reasoning about Networks with Many Identical Finite State Processes. Information and Computation 81(1): 13-31, 1989.


Verification of Open Systems - Vardi (1997)   (1 citation)

....we eventually reach a state from which, no matter how we continue, no requests are sent) as in ∀CTL. In both cases, the more behaviors the system has, the harder it is for the system to satisfy the requirements. Indeed, universal temporal logics induce the simulation order between systems [Mil71, CGB86]. That is, a system M simulates a system M 0 if and only if all universal temporal logic formulas that are satisfied in M 0 are satisfied in M as well. On the other hand, formulas of non universal temporal logics, such as CTL and CTL , may also impose possibility requirements on the system ....

E.M. Clarke, O. Grumberg, and M.C. Browne. Reasoning about networks with many identical finite-state processes. In Proc. 5th ACM Symposium on Principles of Distributed Computing, pages 240--248, Calgary, Alberta, August 1986.


Interactive Verification Exploiting Program Design Knowledge: A .. - Kaltenbach (1996)   (3 citations)

.... of induction [EN95] on the other hand, methods for eliminating induction in certain cases have been proposed by either choosing a canonical parameterized representation [GF93] or by reducing the parameterized checking problem to a few finite model checking problems of fixed size [KM89, McM92, MCB89] Common to these approaches to reducing parameterized systems is their linear structure, i.e. the constant difference (by some measure) of the structures of successive instantiations of the parameterized system. Two ideas for expanding the class of parameterized problems that can be handled in ....

O. G. M. C. Brown, E. C. Clarke. Reasoning about networks with many identical finite state processes. Information and Computation, 81(1), April 1989.


Algoritmos de Satisfactibildad y Model-Checking para la.. - Kemme

....of transitions has a size exponential in the number of synchronization variables and the domains of these variables. Often it is even impossible to hold the whole graph in memory. For this reason, techniques have been developed to compress and decompose the transition graph ([CGB86, CG87]). In [BCDM86] Browne modifies the algorithm of Clarke, Emerson and Sistla so that it can work with graphs whose transitions are labelled with conditions. To apply the original algorithm, a graph is needed that realizes conditions by adding a separate state for each combination ....

E. M. Clarke, O. Grumberg, M. C. Browne. Reasoning about networks with many identical finite-state processes. Technical report, Department of Computer Science, Carnegie Mellon University, 1986.


Figure 4.9: Trajectories in the - Gamma Plane In

....very large systems. Yet, systems larger than 10^20 cannot be automatically analysed. We have also shown that L automata induction methods may help treat systems with an unbounded number of states. Other methods have been proposed to deal with systems parametrized on the number of components [54], [55]. None of the induction methods appear to lend themselves to automation, however. These two limitations of discrete event models point to future research directions. The computational barriers may be overcome by parallel algorithms for formal verification which may take advantage of emerging ....

M. C. Browne, E. M. Clarke, and O. Grumberg, "Reasoning about networks with many identical finite state processes," in ACM Symp. Principles of Distributed Computing, no. 5, 1986.


Verifying an infinite family of inductions simultaneously.. - Creese, Roscoe   (1 citation)

....paper is not quite the CSP standard one of [9, 14] We remark that this provides a completely different combination of data independence and induction to the one we will shortly describe. Other approaches for proving properties of systems of arbitrary size have included the use of temporal logic [1, 2, 8, 16]. Just because a property is true of all the systems constructed by set of structural rules does not guarantee that it can be proved inductively. Ideas such as strengthening the hypothesis frequently help, but can require considerable ingenuity. The main limitation on this method is that it can ....

M.C. Browne, E.M. Clarke and O. Grumberg, Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, 81(1), 13-31, April 1989.


Verifying an infinite family of inductions simultaneously.. - Creese, Roscoe (1999)   (1 citation)

....paper is not quite the CSP standard one of [9, 14]. We remark that this provides a completely different combination of data independence and induction to the one we will shortly describe. Other approaches for proving properties of systems of arbitrary size have included the use of temporal logic [1, 2, 8, 16]. Just because a property is true of all the systems constructed by a set of structural rules does not guarantee that it can be proved inductively. Ideas such as strengthening the hypothesis frequently help, but can require considerable ingenuity. The main limitation on the induction method, ....

M.C. Browne, E.M. Clarke and O. Grumberg, Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, 81(1), 13-31, April 1989.


Exploiting Data Independence - Roscoe, Lazic (1999)

....discovering classes of PVP that either are decidable, or where there are at least techniques that have a reasonable chance of resolving the issue. A variety of techniques have been proposed for addressing versions of the PVP, the most prominent of which are induction over network size structure [20, 1, 14, 15] and data independence analysis (see [19, 9, 7] for our work see below) Using the latter it can often be shown that for a data type parameter T it is sufficient to consider a given finite data type (or perhaps a finite selection of finite data types) to prove a result for all types, or that it ....

Browne, M., E.M. Clarke and O. Grumberg, Reasoning About Networks with Many Identical Finite State Processes, Information and Computation 81 (1), 13--31, 1989.


Verification of Consistency Protocols via Infinite-state.. - Delzanno   (1 citation)

....Our method is inspired to [GS92,EN96,EN98,EFM99] where the authors present decidability results for proper subclasses of the EFSMs we consider in this paper and relate them to verification problems of parameterized systems. Semi automatic methods for parameterized system have been investigated in [BCG89,CGJ97,DDH 92,KM89,LD90,MS91,WL89] whereas abstraction techniques for parameterized systems have been investigated in [GS97,LHR97,LS97] (another source of inspiration for our work). In [ACJT96,BGP97,DP99] constraints are used as symbolic representation of (potentially infinite) sets of ....

M. C. Browne, E. M. Clarke, O. Grumberg. Reasoning about Networks with Many Identical Finite State Processes. Information and Computation 81(1): 13-31, 1989.


On Efficient Data Structures for the Verification of.. - Delzanno (2000)

....of instances with a large number of processes, traditional finite state verification techniques suffer from the state explosion problem. Alternative techniques are necessary in order to reason on (possibly infinite) families of processes. Network invariants [KM89,WL89,LHR97], bisimulation relations [BCG89], theorem proving [LD90], regular languages [ABJN99,PD95], network grammars [CGJ97], abstract interpretation [LS97], search procedures [GS92,EN98], well structured systems [AJ98] are examples of techniques used to attack different instances of the problem. Though in general the verification ....

....in this case. Relaxation methods (abstractions with polyhedra) for integer or hybrid systems have been studied in [CH78,DP99,Hal93,HPR94,HH95,HHW97]. Several other approaches exist to attack the verification problem of parameterized concurrent systems. Among semiautomatic methods we mention [BCG89,CGJ97,KM89,LD90,WL89]. Automated generation of invariants has been studied, e.g. in [CGJ97,LHR97]. The theory of well quasi orderings has been applied to networks of timed systems in [AJ98]. 6 Conclusions We have proposed a methodology to verify safety properties for parameterized system with ....

M. C. Browne, E. M. Clarke, O. Grumberg. Reasoning about Networks with Many Identical Finite State Processes. Information and Computation 81(1): 13-31, 1989.


Automatic Verification of Parameterized Cache Coherence Protocols - Delzanno (2000)   (15 citations)

....like ours (e.g. [ABJN99]) are often semi algorithms, i.e. they do not guarantee the termination of the analysis. Other methods based on regular languages have been proposed in [ABJN99,CGJ97]. Among semi automatic methods that require the construction of abstractions and invariants we mention [BCG89,CGJ97,HQR99,McM99]. Automated generation of invariants has been studied e.g. in [CGJ97,LHR97]. Automated generation of abstract transition graphs for infinite state systems has been studied in [GS97]. Symmetry reductions for parameterized systems have been considered, e.g. in [ID99,McM99,PD95] ....

M. C. Browne, E. M. Clarke, O. Grumberg. Reasoning about Networks with Many Identical Finite State Processes. Information and Computation 81(1): 13-31, 1989.


Compositional Minimisation of Finite State Systems Using.. - Graf, Steffen, Lüttgen (1995)   (8 citations)

....use partial specifications in order to take context constraints into account. Our method is an elaboration of theirs. It uses a more appropriate preorder and defines a concrete strategy for (semi )automatic proofs where the required user support is kept to a minimum. The methods proposed in [BCG86, KM89, SG89, WL89] are tailored to verify properties of classes of systems that are systematically built from large numbers of identical processes. These methods are somewhat orthogonal to ours. This suggests to consider a combination of both types of methods. In practice, Binary Decision ....

M.C. Browne, E.M. Clarke, and O. Grumberg. Reasoning about networks with many identical finite state processes. ACM Symposium on Principle of Distributed Computing, 1986.


BDD-nodes can be more expressive - Reffel

....the correctness of the verification. To exploit symmetry, the orbit relation and a representative for each orbit have to be determined, which can lead to very complex computations and demand an experienced user. Other approaches try to prove properties for systems with many identical processes [4] or rings of processes [11] These methods also require the manual proof of preconditions and make restrictions to both the system and the properties which can be shown. Our approach provides a different way to reduce memory consumption. Taking advantage of the modular structure of a system only ....

M. C. Browne, E. M. Clarke, and O. Grumberg. Reasoning about networks with many identical finite state processes. Information and Computation, 81(1):13--31, Apr. 1989.


A Survey of Verification Techniques for Cache Coherence Protocols - Pong, Dubois (1996)

....re evaluated. Since the verification of cache protocols falls into a special class of verification problems in which the system is composed of identical processes, research on reasoning about the correctness of systems with identical component processes is relevant to this survey. Browne et al. [12] verified systems with many identical finite state processes by finding a correspondence between two (global state) structures M and M representing systems of manageable and overwhelming complexities respectively. A given relation E determines whether there is a correspondence relation between ....

Browne, M.C., Clarke, E.M. and Grumberg, O., "Reasoning about Networks with Many Identical Finite State Processes", Information and Computation 81, 13-31 (1989).


"No Collision" in a Protocol with n Stations: a.. - Merceron, Müllerburg.. (1999)   (Correct)

....see [7] for a somewhat exhaustive list. The purpose of this paper is to grasp the practical idea behind several of these methods by using them for the protocol with n stations, and to see how they compare. The three approaches we have considered are: deductive reasoning [10], correspondence [1] and structural induction [9]. For all these methods we have formalized no collision as a temporal logic formula. The approach of [10] advocates a deductive reasoning based on the transition system of the program to verify. swb uses graphical facilities, a la Statechart, and the states of ....

....such that model checking is feasible. This idea works for the protocol when one notices the following: for one station, the difference between running with k or n other stations is how long the station has to listen to the others, k or n times. By establishing a correspondence in the sense of [1] one shrinks the listening time of 2 stations running among n stations to the listening time of 2 stations running among 3 2 stations. Such a correspondence respects the labeling of the Kripke structure. Thus any property expressed in the temporal logic CTL proved for 2 stations running among ....

[Article contains additional citation context not shown here]

M.C. Browne, E.M. Clarke, and O. Grumberg. Reasoning about networks with many identical finite state processes. Information and Computation, 81:13--31, 1989.


Automatic Verification of Pointer Data-Structure Systems for All.. - Wang   (Correct)

....hard and we can only rely on semi decision procedures or, as in this work, approximation algorithms to answer them. Otherwise, we can also investigate to find out decidable subclasses of the problem. In the following, we briefly describe some of the related work. Browne, Clarke, and Grumberg [5] use bisimulation equivalence relation between global state graphs of systems of different sizes. The equivalence relation must be strong enough for the method to work. Thus the construction of the equivalence relation is difficult to mechanize. Clarke, Grumberg, and Jha[11] propose to use regular ....

M.C. Browne, E.M. Clarke, O. Grumberg. Reasoning about Networks with Many Identical Finite State Processes. Information and Computation 81, 13-31, 1989.


Formal Verification of Complex Coherence Protocols Using.. - Pong, Dubois (1994)   (7 citations)  (Correct)

....behavior specification at a high level of abstraction. Although the logic is powerful, finding the simulation relation is a difficult and inefficient procedure. Methods for reasoning about protocol correctness independently of system sizes have been explored by several researchers. Browne et al. [6] verified systems with many identical finite state processes by finding a correspondence between two (global state) structures M and M representing systems of manageable and overwhelming complexities respectively. A given relation E can determine whether there is a correspondence relation ....

Browne, M.C., Clarke, E.M. and Grumberg, O., "Reasoning about Networks with Many Identical Finite State Processes", Information and Computation 81, 13-31 (1989).


Verification of Dynamic Linear Lists for All Numbers of Processes - Wang   (Correct)

....semantics is assumed. Initially the queue is empty and all variables (including q p s) contains zeros. Note a process enters critical section only when it is the queue head. Since at any moment, there is only one queue head, mutual exclusion is guaranteed. k Unlike the previous approaches[2, 7, 8, 11, 12, 15, 16], we model our problem as safety bound problem which, given a property j and a safety bound C, asks if there is a computation of a system implemented with some processes such that along the computation, at some moment, more than C processes satisfy j. Such a framework can be used to model ....

....hard and we can only rely on semi decision procedures or, as in this work, approximation algorithms to answer them. Otherwise, we can also investigate to find out decidable subclasses of the problem. In the following, we briefly describe some of the related work. Browne, Clarke, and Grumberg [7] use bisimulation equivalence relation between global state graphs of systems of different sizes. The equivalence relation must be strong enough for the method to work. Thus the construction of the equivalence relation is difficult to mechanize. Clarke, Grumberg, and Jha[11] propose to use regular ....

M.C. Browne, E.M. Clarke, O. Grumberg. Reasoning about Networks with Many Identical Finite State Processes. Information and Computation 81, 13-31, 1989.


Robust Satisfaction - Kupferman, Vardi (1999)   (Correct)

....that should hold in all computations of the system. These requirements may be either linear or branching. In both cases, the more behaviors the system has, the harder it is for the system to satisfy the requirements. Indeed, universal temporal logics induce the simulation order between systems [Mil71, CGB86]. That is, a system M simulates a system M' if and only if all universal temporal logic formulas that are satisfied in M are satisfied in M' as well. It follows that traditional model checking methods are applicable also for the verification of open systems with respect to universal ....

E.M. Clarke, O. Grumberg, and M.C. Browne. Reasoning about networks with many identical finite-state processes. In Proc. 5th PODC, pages 240--248, 1986.


Automatic Verification of Parameterized Synchronous Systems.. - Emerson, al. (1996)   (24 citations)  (Correct)

....distinct pairs of user processes: $\bigwedge_{i \neq j} A\,h(i,j)$ and $\bigwedge_{i \neq j} E\,h(i,j)$, where $h(i,j)$ is a linear time formula with atomic propositions over control process states, and over states of U indexed with either i or j. The formal semantics of these logics is defined in the usual way [Em 90, BCG 89, ES 95] and we write $M, s \models f$ to mean that formula f is true in structure M at state s. 3 The abstract model For a given (C, U) family, we construct an abstract process A which includes all computations of every size instance of the family. Intuitively, a state (c, S) of A represents any ....

.... All of them, however, possess certain limitations, which is perhaps not surprising since the PMCP is undecidable in general (cf. [AK 86], [Su 88]). Many of the methods are only partially automated, requiring human ingenuity to construct, e.g. a process invariant or closure process (cf. [CG 87], [BCG 89], [KM 89], [WL 89]). Some could be fully automated but do not appear to have a clearly defined class of protocols on which they are guaranteed to succeed (cf. [ShG 89], [V 93], [CGJ 95]). Abstract graphs (for asynchronous systems) were considered in [ESr 90] for synthesis, [V 93] for automatic ....

Browne, M. C., Clarke, E. M., Grumberg, O. Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, vol. 81, no. 1, pp. 13--31, April 1989.


A Partial Approach to Model Checking - Godefroid, Wolper (1994)   (99 citations)  (Correct)

.... logic [CES86, EL85b, EL85a, Bro86] and temporal calculi [EL86, Var88, Cle90, SW89]. It has been extended to probabilistic [Var85, PZ86, VW86, CY90] as well as realtime programs and logics [ACD90, AH90, HLP90]. It has been adapted to programs containing arbitrary numbers of identical processes [CGB86, CG87, GS87, WL89, KM89]. Methods for making it applicable to very large systems have been investigated [BCM 90, CMB90, CVWY90, GS90]. Moreover, the results from its experimental use have been very encouraging [RRSV87, BCD85]. What more can be said about it? In spite of all its success, ....

E. M. Clarke, O. Grumberg, and M. C. Browne. Reasoning about networks with many identical finite-state processes. In Proc. 5th ACM Symposium on Principles of Distributed Computing, pages 240--248, Calgary, Alberta, August 1986.


Automatic Verification of a Class of Systolic Circuits - Parosh Abdulla (1996)   (1 citation)  (Correct)

....proven correct and then used in the final verification proof, or induction hypotheses when performing inductive proofs. It is often not obvious which help lemmas or which induction hypotheses to provide. Several approaches for automatic verification have been presented in the past. Clarke et al. [CGB86] present a method to automate verification of systems composed of many identical processes. The verification of a system with an arbitrary number of processes is reduced to the verification of a system with a fixed number of processes. The method of Clarke is used to prove synchronization ....

E. M. Clarke, O. Grumberg, and M. C. Browne. Reasoning about networks with many identical finite state processes. In ACM PoDC, 1986.


Completeness and Soundness of Axiomatizations for.. - Moser..   (6 citations)  (Correct)

....[8, 9, 15, 17]. Furthermore, specifications that make use of both since and until operators are often simpler than those that involve only the until operator. The logics of [8, 9, 15, 17, 19, 21, 22] all include the next operator. However, there is growing consensus among computer scientists [3, 4, 11, 13] that the next operator is not conducive to good specifications. Although the next operator is potentially useful when describing a single sequential program at the statement level, it is less useful for describing concurrent systems. In the design of a concurrent system, we must reason separately ....

M. C. Browne, E. M. Clarke and O. Grumberg, "Reasoning about networks with many identical finite state processes," Information and Computation, vol. 81, no. 1, April 1989, pp. 13-31.


An Induction Theorem for Ring Protocols of Processes Described.. - Pyssysalo (1996)   (2 citations)  (Correct)

....machines or processes, i.e. instances of the same (finite) protocol. Given a system S(n) consisting of n 2 instances of the same protocol and a property P(n) on S(n) we would like to verify, whether or not S(n) satisfies P(n) for any value of n. The problem is depicted in Figure 1. In (Clarke, Grumberg and Browne 1986b) it is proven that this problem is not semi decidable in general, even if P(n) is a very simple temporal property. In addition, the problem remains undecidable, even if S(n) is a unidirectional ring of identical finite state machines, whose configuration is independent of the value of n and only ....

....a process P 1 is less than or equal to a process P 2 if and only if P 1 implements P 2 or equivalently P 2 is an approximation of P 1 , i.e. is less deterministic than P 2 . Two processes are considered identical, if they cannot be distinguished by any finite sequence of observable transitions (Clarke et al. 1986b). Kurshan and McMillan do the induction verification in three steps. In the first step it is checked that the invariant process is greater in the partial order than the composition of some finite number n of processes. Next in the induction step it is checked, whether the composition of the ....

[Article contains additional citation context not shown here]

Clarke, E. M., Grumberg, O. and Browne, M. C. (1986b). Reasoning about Networks with Many Identical Finite-State Processes, Proceedings of the 5th Annual ACM Symposium on Principles of Distributed Computing, Calgary, Canada, August 11-13, 1986, Association for Computing Machinery, Baltimore MD, pp. 240-248.


Verifying Parameterized Networks - Clarke Carnegie Mellon (1997)   (10 citations)  Self-citation (Clarke Grumberg)   (Correct)

No context found.

Browne, M., Clarke, E., and Grumberg, O. 1989. Reasoning about networks with many identical finite-state processes. Inf. Comput. 81, 1 (Apr.), 13--31.


Verification Tools for Finite-State Concurrent Systems - Clarke, Grumberg, Long (1993)   (99 citations)  Self-citation (Clarke Grumberg)   (Correct)

....the correctness of a system configured with a fixed number of processors or other components, it is natural to ask whether this number is enough in some sense to represent a system with any number of components. The first researchers to tackle this question were Browne, Clarke and Grumberg [28], who extended the logic CTL to a logic called indexed CTL. This logic allows the restricted use of process quantifiers as in the formula $\bigvee_i f(i)$ which means that the formula f holds for some process i. Restricting the use of these quantifiers and eliminating the next time operator makes it ....

E. M. Clarke, O. Grumberg, and M. C. Browne. Reasoning about networks with many identical finite-state processes. In Proceedings of the Fifth Annual ACM Symposium on Principles of Distributed Computing., pages 240--248. ACM, August 1986.


Verification of Open Systems - Orna Kupferman Hebrew   (Correct)

No context found.

E.M. Clarke, O. Grumberg, and M.C. Browne. Reasoning about networks with many identical finite-state processes. In Proc. 5th ACM Symp. on Principles of Distributed Computing, pages 240--248, Calgary, Alberta, August 1986.


Refactoring Design Models for Inductive Verification - Yung-Pin Cheng Dept (2002)   (Correct)

No context found.

M. C. Browne, E. M. Clarke, and O. Grumberg. Reasoning about networks with many identical finite state processes. Information and Computation, 81:13--31, 1989.


Formal Automatic Verification of Cache Coherence in.. - Pong, Dubois (2000)   (2 citations)  (Correct)

No context found.

Browne, M.C., Clarke, E.M. and Grumberg, O., "Reasoning about Networks with Many Identical Finite State Processes", Information and Computation 81, 1989, pp. 13-31.


Model Checking - Merz (2000)   (Correct)

No context found.

M. C. Browne, E. M. Clarke, and O. Grumberg. Reasoning about networks with many identical finite-state processes. Information and Computation, 81:13--31, 1989.


On the Automated Verification of Parameterized Concurrent.. - Delzanno   (Correct)

No context found.

M. C. Browne, E. M. Clarke, O. Grumberg. Reasoning about Networks with Many Identical Finite State Processes. Information and Computation 81(1): 13-31, 1989.


Data Independent Induction: CSP Model Checking of Arbitrary Sized .. - Creese (2001)   (1 citation)  (Correct)

No context found.

M.C. Browne, E.M. Clarke and O. Grumberg, Reasoning about Networks with Many Identical Finite State Processes, Information and Computation, 81(1), 13-31, April 1989.


Reducing Model Checking of the Many to the Few - Emerson, Kahlon (2000)   (10 citations)  (Correct)

No context found.

M.C. Browne, E.M. Clarke and O. Grumberg. Reasoning about Networks with Many Identical Finite State Processes. Information and Control, 81(1), pages 13-31, April 1989.


Automated Temporal Reasoning about Reactive Systems - Emerson (1996)   (38 citations)  (Correct)

No context found.

Clarke, E. M., Grumberg, O. and Browne, M.C., Reasoning about Networks with Many Identical Finite State Processes, Proc. 5th ACM PODC, 53 pp. 240-248, 1986.
